Exam CS0-003 topic 1 question 295 discussion

tcpdump. The keyword is "non-secured communication". tcpdump allows you to analyze the "malicious intent" over a "non-secured communication" as the traffic is readable.

IDS logs (Intrusion Detection System) are specifically designed to detect and log suspicious network activity, such as attempts to exploit non-secure channels. IDS can flag when sensitive data (like credentials) are transmitted insecurely or when known attack patterns are detected over the network.

The alert is about user accounts authenticating to the identity provider (IdP) over an insecure channel. To judge whether those connections are benign (misconfiguration) or part of an attack, the SOC needs to see who logged in, from where, how often, with what result, and over which protocol—all of which are captured in directory/IdP logs (e.g., Active Directory, Azure AD)

Why would you not check Directory these are user accounts

D. IDS (Intrusion Detection System) logs IDS logs are specifically designed to detect and log potentially malicious activity.

D - IDS. Best choice for detecting Malicious activity.

D. IDS An Intrusion Detection System (IDS) is designed to monitor network traffic for malicious activity. In this case, an IDS can detect non-secure connections to the identity provider, potentially indicating malicious intent. By analyzing the traffic patterns, the IDS can provide valuable insights into the nature of the attack, such as the source IP address, the affected user accounts, and the specific vulnerabilities exploited. While DNS, tcpdump, and directory logs can provide useful information, they are not specifically designed to detect malicious intent. DNS logs can show domain resolution, tcpdump can capture network traffic, and directory logs can show user authentication attempts, but they may not provide the level of context and threat intelligence that an IDS can offer.